openspec-sync-specs
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the openspec list --json command to retrieve a list of available changes. This command is executed locally to provide the user with a selection menu through the AskUserQuestion tool.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It reads markdown files representing 'delta specs' and performs 'intelligent merging' into main specification files. An attacker capable of modifying these delta spec files could embed instructions that manipulate the agent's editing logic or file-writing behavior.
- Ingestion points: Content is read from markdown files located at openspec/changes/<name>/specs/*/spec.md and openspec/specs/<capability>/spec.md.
- Boundary markers: The agent lacks explicit delimiters or instructions to ignore embedded directives within the markdown data, relying instead on structural headers (e.g., ## ADDED Requirements).
- Capability inventory: The agent can execute local CLI tools (openspec) and perform arbitrary file writes and creations within the target specification directories.
- Sanitization: There is no evidence of sanitization, escaping, or schema validation for the input markdown content before it is processed and written to the filesystem.
Audit Metadata